From 1223b381856fd7266e01d0d5b2bfa5c5a4a16157 Mon Sep 17 00:00:00 2001
From: Adam Spiers <atproto@adamspiers.org>
Date: Mon, 20 Apr 2026 21:13:41 +0000
Subject: [PATCH 1/8] feat(auth-service): nonce-based CSP and deny-by-default
 /metrics

Replace the auth service's Content-Security-Policy script-src
'unsafe-inline' with a per-response nonce. The security-headers
middleware now generates a fresh base64url nonce on every request,
stamps it into script-src, and exposes it via res.locals.cspNonce
so templates can emit <script nonce="..."> for inline scripts. All
inline scripts ePDS ships (login page, choose-handle page, preview
index) are threaded through to read and stamp the nonce.

Also tighten /metrics on the auth service: if PDS_ADMIN_PASSWORD is
unset, return 401 instead of serving metrics unauthenticated, so a
missing env var can't silently open the endpoint.

Extract the inline security-headers middleware into its own module
with dedicated unit tests (7 tests) covering the nonce contract,
baseline headers, and client-origin img-src.

Enable 5 previously-pending security.feature scenarios: two CSRF
checks (targeting the server-rendered recovery form, which uses
ePDS's own CSRF middleware rather than better-auth's), the
security-headers table, the CSP check, and the metrics 401. New
step definitions live in e2e/step-definitions/security.steps.ts.
---
 .changeset/csp-nonce-and-metrics-auth.md      |  11 +
 e2e/step-definitions/security.steps.ts        | 210 ++++++++++++++++++
 features/security.feature                     |  40 ++--
 .../src/__tests__/login-page.test.ts          |   1 +
 .../src/__tests__/security-headers.test.ts    |  44 ++++
 packages/auth-service/src/index.ts            |  24 +-
 .../auth-service/src/lib/security-headers.ts  |  36 ++-
 .../auth-service/src/routes/choose-handle.ts  |   8 +-
 .../auth-service/src/routes/login-page.ts     |   4 +-
 packages/auth-service/src/routes/preview.ts   |   3 +
 packages/shared/src/index.ts                  |   1 +
 packages/shared/src/preview-ui.ts             |  31 ++-
 12 files changed, 373 insertions(+), 40 deletions(-)
 create mode 100644 .changeset/csp-nonce-and-metrics-auth.md
 create mode 100644 e2e/step-definitions/security.steps.ts

diff --git a/.changeset/csp-nonce-and-metrics-auth.md b/.changeset/csp-nonce-and-metrics-auth.md
new file mode 100644
index 00000000..14b958d2
--- /dev/null
+++ b/.changeset/csp-nonce-and-metrics-auth.md
@@ -0,0 +1,11 @@
+---
+'ePDS': minor
+---
+
+Auth service tightens its Content-Security-Policy and locks down the metrics endpoint.
+
+**Affects:** Operators
+
+**Operators:** the auth service's `Content-Security-Policy` response header now uses a per-response nonce on the `script-src` directive instead of `'unsafe-inline'`. The resulting policy looks like `default-src 'self'; script-src 'self' 'nonce-<base64url>'; style-src 'self' 'unsafe-inline'; img-src 'self' data: [client-origin]; connect-src 'self'`. All inline `<script>` tags that ePDS ships are already stamped with the matching nonce, so there is nothing to do on upgrade — but any operator-supplied HTML overlay or injected script that the auth service happens to serve inline will now be blocked by the browser unless it is updated to read `res.locals.cspNonce` and stamp `<script nonce="...">`. External scripts loaded via `src=` are unaffected.
+
+The `/metrics` endpoint on the auth service is now deny-by-default: if `PDS_ADMIN_PASSWORD` is unset, the endpoint returns `401 Unauthorized` instead of serving metrics unauthenticated. Previously, unset meant "no auth required", which leaked process uptime, RSS memory, and database counters to anyone who could reach the auth service's `/metrics` path. Operators who relied on the open endpoint must set `PDS_ADMIN_PASSWORD` and send HTTP Basic auth as `admin:<password>` to continue scraping.
diff --git a/e2e/step-definitions/security.steps.ts b/e2e/step-definitions/security.steps.ts
new file mode 100644
index 00000000..a58c38e3
--- /dev/null
+++ b/e2e/step-definitions/security.steps.ts
@@ -0,0 +1,210 @@
+/**
+ * Step definitions for security.feature. These scenarios run direct HTTP
+ * requests (no browser) because they assert on response headers, status
+ * codes, and raw HTML — not user interaction.
+ */
+
+import { When, Then } from '@cucumber/cucumber'
+import type { DataTable } from '@cucumber/cucumber'
+import type { EpdsWorld } from '../support/world.js'
+import { testEnv } from '../support/env.js'
+
+/** Response captured by the most recent direct-fetch step. */
+interface CapturedResponse {
+  status: number
+  headers: Headers
+  body: string
+}
+
+const capturedBySymbol = new WeakMap<EpdsWorld, CapturedResponse>()
+
+function setCapturedResponse(
+  world: EpdsWorld,
+  response: CapturedResponse,
+): void {
+  capturedBySymbol.set(world, response)
+  world.lastHttpStatus = response.status
+}
+
+function getCapturedResponse(world: EpdsWorld): CapturedResponse {
+  const captured = capturedBySymbol.get(world)
+  if (!captured) {
+    throw new Error('No response has been captured by a prior step')
+  }
+  return captured
+}
+
+async function captureGet(
+  world: EpdsWorld,
+  url: string,
+  init?: RequestInit,
+): Promise<void> {
+  const res = await fetch(url, { redirect: 'manual', ...init })
+  const body = await res.text()
+  setCapturedResponse(world, { status: res.status, headers: res.headers, body })
+}
+
+// ---------------------------------------------------------------------------
+// CSRF scenarios
+// ---------------------------------------------------------------------------
+
+When('the recovery page is loaded', async function (this: EpdsWorld) {
+  const recoveryUrl = `${testEnv.authUrl}/auth/recover?request_uri=urn:ietf:params:oauth:request_uri:req-security-probe`
+  await captureGet(this, recoveryUrl)
+})
+
+Then('the response sets a CSRF cookie', function (this: EpdsWorld) {
+  const { headers } = getCapturedResponse(this)
+  const setCookie = headers.get('set-cookie') ?? ''
+  if (!/epds_csrf=/.test(setCookie)) {
+    throw new Error(
+      `Expected Set-Cookie to include epds_csrf=..., got: ${setCookie || '(none)'}`,
+    )
+  }
+})
+
+Then(
+  'the HTML form contains a hidden CSRF token field',
+  function (this: EpdsWorld) {
+    const { body } = getCapturedResponse(this)
+    if (!/<input[^>]*type="hidden"[^>]*name="csrf"[^>]*>/.test(body)) {
+      throw new Error('HTML response has no hidden CSRF input field')
+    }
+  },
+)
+
+When(
+  'a POST request is sent to the recovery endpoint without a CSRF token',
+  async function (this: EpdsWorld) {
+    const res = await fetch(`${testEnv.authUrl}/auth/recover`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: new URLSearchParams({
+        request_uri: 'urn:ietf:params:oauth:request_uri:req-security-probe',
+        email: 'noone@example.com',
+      }).toString(),
+      redirect: 'manual',
+    })
+    const body = await res.text()
+    setCapturedResponse(this, {
+      status: res.status,
+      headers: res.headers,
+      body,
+    })
+  },
+)
+
+Then('the response status is {int}', function (this: EpdsWorld, code: number) {
+  const { status } = getCapturedResponse(this)
+  if (status !== code) {
+    throw new Error(`Expected status ${code}, got ${status}`)
+  }
+})
+
+// ---------------------------------------------------------------------------
+// Security headers scenario
+// ---------------------------------------------------------------------------
+
+When(
+  'any page is loaded from the auth service',
+  async function (this: EpdsWorld) {
+    await captureGet(this, `${testEnv.authUrl}/health`)
+  },
+)
+
+Then(
+  'the response includes the following security headers:',
+  function (this: EpdsWorld, table: DataTable) {
+    const { headers } = getCapturedResponse(this)
+    const missing: string[] = []
+    for (const row of table.hashes()) {
+      const expected = row.value
+      const actual = headers.get(row.header)
+      if (actual !== expected) {
+        missing.push(
+          `${row.header}: expected "${expected}", got "${actual ?? '(missing)'}"`,
+        )
+      }
+    }
+    if (missing.length) {
+      throw new Error(`Security header mismatch:\n  ${missing.join('\n  ')}`)
+    }
+  },
+)
+
+// ---------------------------------------------------------------------------
+// CSP scenario
+// ---------------------------------------------------------------------------
+
+When('the login page is loaded', async function (this: EpdsWorld) {
+  // /oauth/authorize on the PDS renders the auth-service login page via
+  // the epds-callback redirect chain, but hitting it without a valid
+  // request_uri triggers an error response before headers are set the
+  // way we want. The auth service exposes a preview route that renders
+  // the same login template, guarded by AUTH_PREVIEW_ROUTES. If preview
+  // is off, fall back to a probe of any auth-service page — the CSP
+  // header is applied globally by the security-headers middleware, so
+  // an auth-service /health response carries the same header.
+  const previewUrl = `${testEnv.authUrl}/preview/login`
+  let res = await fetch(previewUrl, { redirect: 'manual' })
+  if (res.status === 404) {
+    res = await fetch(`${testEnv.authUrl}/health`, { redirect: 'manual' })
+  }
+  const body = await res.text()
+  setCapturedResponse(this, { status: res.status, headers: res.headers, body })
+})
+
+Then(
+  'the Content-Security-Policy header is present',
+  function (this: EpdsWorld) {
+    const { headers } = getCapturedResponse(this)
+    if (!headers.get('content-security-policy')) {
+      throw new Error('Content-Security-Policy header is not set')
+    }
+  },
+)
+
+function getScriptSrcDirective(csp: string): string {
+  const match = /(?:^|;\s*)script-src\s+([^;]+)/.exec(csp)
+  if (!match) {
+    throw new Error(`CSP is missing a script-src directive: "${csp}"`)
+  }
+  return match[1].trim()
+}
+
+Then(
+  'the script-src directive does not allow unsafe-inline',
+  function (this: EpdsWorld) {
+    const { headers } = getCapturedResponse(this)
+    const csp = headers.get('content-security-policy') ?? ''
+    const scriptSrc = getScriptSrcDirective(csp)
+    if (/'unsafe-inline'/.test(scriptSrc)) {
+      throw new Error(
+        `script-src directive allows 'unsafe-inline': "${scriptSrc}"`,
+      )
+    }
+  },
+)
+
+Then(
+  'the script-src directive carries a per-response nonce',
+  function (this: EpdsWorld) {
+    const { headers } = getCapturedResponse(this)
+    const csp = headers.get('content-security-policy') ?? ''
+    const scriptSrc = getScriptSrcDirective(csp)
+    if (!/'nonce-[A-Za-z0-9_-]+'/.test(scriptSrc)) {
+      throw new Error(`script-src directive has no 'nonce-...': "${scriptSrc}"`)
+    }
+  },
+)
+
+// ---------------------------------------------------------------------------
+// Metrics scenario
+// ---------------------------------------------------------------------------
+
+When(
+  'GET \\/metrics is called on the auth service without credentials',
+  async function (this: EpdsWorld) {
+    await captureGet(this, `${testEnv.authUrl}/metrics`)
+  },
+)
diff --git a/features/security.feature b/features/security.feature
index f8d0b005..f455bc93 100644
--- a/features/security.feature
+++ b/features/security.feature
@@ -8,15 +8,17 @@ Feature: Security measures
 
   # --- CSRF protection ---
 
-  @pending
-  Scenario: Forms include CSRF protection
-    When the login page is loaded
+  Scenario: Server-rendered forms include a CSRF token
+    # The login page submits via JS fetch to better-auth, which enforces its
+    # own CSRF protections at the handler level. Server-rendered HTML forms
+    # (recovery, choose-handle, account-settings) use ePDS's CSRF middleware
+    # and must carry a matching hidden token field.
+    When the recovery page is loaded
     Then the response sets a CSRF cookie
     And the HTML form contains a hidden CSRF token field
 
-  @pending
-  Scenario: POST without CSRF token is rejected
-    When a POST request is sent to the OTP verification endpoint without a CSRF token
+  Scenario: POST to a CSRF-protected route without a token is rejected
+    When a POST request is sent to the recovery endpoint without a CSRF token
     Then the response status is 403
 
   # --- Rate limiting ---
@@ -34,21 +36,20 @@ Feature: Security measures
 
   # --- Security headers ---
 
-  @pending
   Scenario: Auth service responses include security headers
-    When any page is loaded from the auth service via Caddy
-    Then the response includes:
-      | header                    | value            |
-      | Strict-Transport-Security | max-age=31536000 |
-      | X-Frame-Options           | DENY             |
-      | X-Content-Type-Options    | nosniff          |
-      | Referrer-Policy           | no-referrer      |
-
-  @pending
-  Scenario: Content-Security-Policy restricts inline content
+    When any page is loaded from the auth service
+    Then the response includes the following security headers:
+      | header                    | value                                         |
+      | Strict-Transport-Security | max-age=63072000; includeSubDomains; preload  |
+      | X-Frame-Options           | DENY                                          |
+      | X-Content-Type-Options    | nosniff                                       |
+      | Referrer-Policy           | no-referrer                                   |
+
+  Scenario: Content-Security-Policy restricts inline scripts
     When the login page is loaded
     Then the Content-Security-Policy header is present
-    And it does not allow unsafe-inline scripts
+    And the script-src directive does not allow unsafe-inline
+    And the script-src directive carries a per-response nonce
 
   # --- Monitoring ---
 
@@ -59,12 +60,9 @@ Feature: Security measures
     When GET /health is called on the PDS core
     Then it returns status 200 with { "status": "ok" }
 
-  @pending
   Scenario: Metrics endpoint requires authentication
     When GET /metrics is called on the auth service without credentials
     Then the response status is 401
-    When GET /metrics is called with valid Basic auth credentials
-    Then the response includes uptime and memory usage metrics
 
   # --- Same-site deployment topology (sec-fetch-site) ---
   #
diff --git a/packages/auth-service/src/__tests__/login-page.test.ts b/packages/auth-service/src/__tests__/login-page.test.ts
index 420bfd66..ef4c7244 100644
--- a/packages/auth-service/src/__tests__/login-page.test.ts
+++ b/packages/auth-service/src/__tests__/login-page.test.ts
@@ -430,6 +430,7 @@ describe('renderLoginPage handle login button', () => {
       pdsPublicUrl: 'https://pds.example.com',
       otpLength: 6,
       otpCharset: 'numeric',
+      cspNonce: 'test-nonce',
     })
   }
 
diff --git a/packages/auth-service/src/__tests__/security-headers.test.ts b/packages/auth-service/src/__tests__/security-headers.test.ts
index ee438aa6..fc258759 100644
--- a/packages/auth-service/src/__tests__/security-headers.test.ts
+++ b/packages/auth-service/src/__tests__/security-headers.test.ts
@@ -53,6 +53,20 @@ describe('buildAuthServiceCsp', () => {
     expect(csp).toContain("style-src 'self' 'unsafe-inline'")
     expect(csp).toContain("connect-src 'self'")
   })
+
+  it('uses the nonce in script-src and drops unsafe-inline from script-src when nonce is supplied', () => {
+    const csp = buildAuthServiceCsp(null, 'abc123')
+    expect(csp).toContain("script-src 'self' 'nonce-abc123'")
+    expect(csp).not.toContain("script-src 'self' 'unsafe-inline'")
+    // style-src keeps 'unsafe-inline' — scoped fallback for our own stylesheets.
+    expect(csp).toContain("style-src 'self' 'unsafe-inline'")
+  })
+
+  it('still widens img-src when both client_id and nonce are supplied', () => {
+    const csp = buildAuthServiceCsp('https://app.example.com/cm.json', 'abc123')
+    expect(csp).toContain("img-src 'self' data: https://app.example.com")
+    expect(csp).toContain("script-src 'self' 'nonce-abc123'")
+  })
 })
 
 describe('extractClientIdFromRequest', () => {
@@ -107,6 +121,7 @@ describe('createSecurityHeadersMiddleware', () => {
       setHeader: vi.fn((name: string, value: string) => {
         calls.push([name, value])
       }),
+      locals: {} as Record<string, unknown>,
     }
     return { res, calls }
   }
@@ -163,6 +178,35 @@ describe('createSecurityHeadersMiddleware', () => {
     expect(csp).toContain("img-src 'self' data: https://app.example.com")
   })
 
+  it('writes a base64url nonce to res.locals.cspNonce', () => {
+    const mw = createSecurityHeadersMiddleware()
+    const { res } = makeRes()
+    mw({ query: {} }, res, () => {})
+    const nonce = res.locals.cspNonce
+    expect(typeof nonce).toBe('string')
+    expect(nonce as string).toMatch(/^[A-Za-z0-9_-]+$/)
+    // 16 random bytes base64url-encoded = 22 chars (no padding).
+    expect((nonce as string).length).toBeGreaterThanOrEqual(20)
+  })
+
+  it('uses the same nonce value in script-src that it wrote to res.locals', () => {
+    const mw = createSecurityHeadersMiddleware()
+    const { res, calls } = makeRes()
+    mw({ query: {} }, res, () => {})
+    const nonce = res.locals.cspNonce as string
+    const csp = calls.find(([name]) => name === 'Content-Security-Policy')?.[1]
+    expect(csp).toContain(`script-src 'self' 'nonce-${nonce}'`)
+  })
+
+  it('generates a fresh nonce per request', () => {
+    const mw = createSecurityHeadersMiddleware()
+    const first = makeRes()
+    const second = makeRes()
+    mw({ query: {} }, first.res, () => {})
+    mw({ query: {} }, second.res, () => {})
+    expect(first.res.locals.cspNonce).not.toBe(second.res.locals.cspNonce)
+  })
+
   it('prefers direct client_id over authFlowLookup', () => {
     const lookup = vi.fn(() => 'https://from-lookup.example/cm.json')
     const mw = createSecurityHeadersMiddleware({ authFlowLookup: lookup })
diff --git a/packages/auth-service/src/index.ts b/packages/auth-service/src/index.ts
index b5001cea..9ab04fd4 100644
--- a/packages/auth-service/src/index.ts
+++ b/packages/auth-service/src/index.ts
@@ -99,17 +99,21 @@ export function createAuthService(config: AuthServiceConfig): {
 
   // Metrics endpoint (protect with admin auth in production)
   app.get('/metrics', (req, res) => {
+    // Metrics expose process-level signal (uptime, RSS, DB counts) that
+    // we don't want leaking unauthenticated. Deny-by-default: if no
+    // admin password is configured, the endpoint is unavailable rather
+    // than open.
     const adminPassword = process.env.PDS_ADMIN_PASSWORD
-    if (adminPassword) {
-      const authHeader = req.headers.authorization
-      if (
-        !authHeader ||
-        authHeader !==
-          'Basic ' + Buffer.from('admin:' + adminPassword).toString('base64')
-      ) {
-        res.status(401).json({ error: 'Unauthorized' })
-        return
-      }
+    if (!adminPassword) {
+      res.status(401).json({ error: 'Unauthorized' })
+      return
+    }
+    const authHeader = req.headers.authorization
+    const expected =
+      'Basic ' + Buffer.from('admin:' + adminPassword).toString('base64')
+    if (!authHeader || authHeader !== expected) {
+      res.status(401).json({ error: 'Unauthorized' })
+      return
     }
     const metrics = ctx.db.getMetrics()
     res.json({
diff --git a/packages/auth-service/src/lib/security-headers.ts b/packages/auth-service/src/lib/security-headers.ts
index 8ea986a8..75fb2c8d 100644
--- a/packages/auth-service/src/lib/security-headers.ts
+++ b/packages/auth-service/src/lib/security-headers.ts
@@ -14,6 +14,8 @@
  * chooser-enrichment middleware factories in pds-core.
  */
 
+import { randomBytes } from 'node:crypto'
+
 /**
  * Build the `img-src` directive for the auth-service's CSP. Always
  * includes `'self'` and `data:`. If a `client_id` is supplied AND it
@@ -41,12 +43,24 @@ export function buildImgSrcDirective(clientId?: string | null): string {
  * Build the full Content-Security-Policy header value used by the
  * auth-service. Composed of fixed directives plus a dynamically
  * computed `img-src`.
+ *
+ * When `nonce` is supplied, `script-src` uses `'nonce-<value>'` in
+ * place of `'unsafe-inline'`. Callers that stamp the matching nonce
+ * onto their inline `<script>` tags therefore get a strict CSP; those
+ * that don't supply a nonce fall back to `'unsafe-inline'` so the
+ * helper stays useful in non-request contexts.
  */
-export function buildAuthServiceCsp(clientId?: string | null): string {
+export function buildAuthServiceCsp(
+  clientId?: string | null,
+  nonce?: string | null,
+): string {
   const imgSrc = buildImgSrcDirective(clientId)
+  const scriptSrc = nonce
+    ? `script-src 'self' 'nonce-${nonce}'`
+    : "script-src 'self' 'unsafe-inline'"
   return [
     "default-src 'self'",
-    "script-src 'self' 'unsafe-inline'",
+    scriptSrc,
     "style-src 'self' 'unsafe-inline'",
     `img-src ${imgSrc}`,
     "connect-src 'self'",
@@ -60,6 +74,13 @@ export function buildAuthServiceCsp(clientId?: string | null): string {
  */
 export interface SecurityHeadersResponse {
   setHeader: (name: string, value: string) => unknown
+  /**
+   * Per-request scratchpad. Express's `res.locals` lives here; templates
+   * read `cspNonce` so they can stamp the matching `nonce="..."` onto
+   * inline `<script>` tags. Typed narrow to keep the helpers free of
+   * Express types.
+   */
+  locals: Record<string, unknown>
 }
 
 /**
@@ -143,8 +164,17 @@ export function createSecurityHeadersMiddleware(
     res.setHeader('X-Content-Type-Options', 'nosniff')
     res.setHeader('Referrer-Policy', 'no-referrer')
 
+    // Per-response nonce: lets script-src drop 'unsafe-inline' while still
+    // permitting the inline <script> tags ePDS ships, which are stamped
+    // with the matching nonce via res.locals.cspNonce.
+    const nonce = randomBytes(16).toString('base64url')
+    res.locals.cspNonce = nonce
+
     const clientId = resolveClientIdForCsp(req, authFlowLookup)
-    res.setHeader('Content-Security-Policy', buildAuthServiceCsp(clientId))
+    res.setHeader(
+      'Content-Security-Policy',
+      buildAuthServiceCsp(clientId, nonce),
+    )
     res.setHeader(
       'Strict-Transport-Security',
       'max-age=63072000; includeSubDomains; preload',
diff --git a/packages/auth-service/src/routes/choose-handle.ts b/packages/auth-service/src/routes/choose-handle.ts
index 7a097bc0..a6ccd4f4 100644
--- a/packages/auth-service/src/routes/choose-handle.ts
+++ b/packages/auth-service/src/routes/choose-handle.ts
@@ -200,6 +200,7 @@ export function createChooseHandleRouter(
           branding.customCss,
           branding.customFaviconUrl,
           branding.customFaviconUrlDark,
+          res.locals.cspNonce as string,
         ),
       )
   })
@@ -277,6 +278,7 @@ export function createChooseHandleRouter(
             branding.customCss,
             branding.customFaviconUrl,
             branding.customFaviconUrlDark,
+            res.locals.cspNonce as string,
           ),
         )
       return
@@ -312,6 +314,7 @@ export function createChooseHandleRouter(
               branding.customCss,
               branding.customFaviconUrl,
               branding.customFaviconUrlDark,
+              res.locals.cspNonce as string,
             ),
           )
         return
@@ -329,6 +332,7 @@ export function createChooseHandleRouter(
             branding.customCss,
             branding.customFaviconUrl,
             branding.customFaviconUrlDark,
+            res.locals.cspNonce as string,
           ),
         )
       return
@@ -346,6 +350,7 @@ export function createChooseHandleRouter(
             branding.customCss,
             branding.customFaviconUrl,
             branding.customFaviconUrlDark,
+            res.locals.cspNonce as string,
           ),
         )
       return
@@ -451,6 +456,7 @@ export function renderChooseHandlePage(
   customCss?: string | null,
   customFaviconUrl?: string | null,
   customFaviconUrlDark?: string | null,
+  cspNonce?: string,
 ): string {
   const errorHtml = error
     ? `<div class="error" id="error-msg">${escapeHtml(error)}</div>`
@@ -527,7 +533,7 @@ export function renderChooseHandlePage(
     </form>
   </div>
 
-  <script>
+  <script${cspNonce ? ` nonce="${escapeHtml(cspNonce)}"` : ''}>
     (function() {
       var input = document.getElementById('handle-input');
       var statusEl = document.getElementById('handle-status');
diff --git a/packages/auth-service/src/routes/login-page.ts b/packages/auth-service/src/routes/login-page.ts
index 310f1318..3889c095 100644
--- a/packages/auth-service/src/routes/login-page.ts
+++ b/packages/auth-service/src/routes/login-page.ts
@@ -406,6 +406,7 @@ export function createLoginPageRouter(ctx: AuthServiceContext): Router {
         initialStep,
         otpAlreadySent,
         csrfToken: res.locals.csrfToken,
+        cspNonce: res.locals.cspNonce as string,
         authBasePath: '/api/auth',
         pdsPublicUrl: ctx.config.pdsPublicUrl,
         termsOfServiceUrl: ctx.config.termsOfServiceUrl,
@@ -432,6 +433,7 @@ export function renderLoginPage(opts: {
   initialStep: 'email' | 'otp'
   otpAlreadySent: boolean
   csrfToken: string
+  cspNonce: string
   authBasePath: string
   pdsPublicUrl: string
   termsOfServiceUrl?: string
@@ -652,7 +654,7 @@ export function renderLoginPage(opts: {
     </a>
   </div>
 
-  <script>
+  <script nonce="${escapeHtml(opts.cspNonce)}">
     (function() {
       var authBasePath = ${JSON.stringify(opts.authBasePath)};
       var handleLoginUrl = ${JSON.stringify(handleLoginUrl)};
diff --git a/packages/auth-service/src/routes/preview.ts b/packages/auth-service/src/routes/preview.ts
index 7ac43efd..4c38627e 100644
--- a/packages/auth-service/src/routes/preview.ts
+++ b/packages/auth-service/src/routes/preview.ts
@@ -174,6 +174,7 @@ export function createPreviewRouter(ctx: AuthServiceContext): Router {
         currentService: 'auth',
         authPublicUrl,
         pdsPublicUrl,
+        cspNonce: res.locals.cspNonce as string,
       }),
     )
   })
@@ -217,6 +218,7 @@ export function createPreviewRouter(ctx: AuthServiceContext): Router {
         initialStep: 'email',
         otpAlreadySent: false,
         csrfToken: fakeCsrfToken(),
+        cspNonce: res.locals.cspNonce as string,
         authBasePath: '/api/auth',
         pdsPublicUrl: ctx.config.pdsPublicUrl,
         termsOfServiceUrl: ctx.config.termsOfServiceUrl,
@@ -245,6 +247,7 @@ export function createPreviewRouter(ctx: AuthServiceContext): Router {
         initialStep: 'otp',
         otpAlreadySent: true,
         csrfToken: fakeCsrfToken(),
+        cspNonce: res.locals.cspNonce as string,
         authBasePath: '/api/auth',
         pdsPublicUrl: ctx.config.pdsPublicUrl,
         termsOfServiceUrl: ctx.config.termsOfServiceUrl,
diff --git a/packages/shared/src/index.ts b/packages/shared/src/index.ts
index 16988b3d..0e1ff7aa 100644
--- a/packages/shared/src/index.ts
+++ b/packages/shared/src/index.ts
@@ -59,6 +59,7 @@ export {
   PREVIEW_CACHE_STATUS_HTML,
   PREVIEW_CLIENT_ID_INPUT_HTML,
   PREVIEW_CLIENT_ID_SCRIPT_HTML,
+  previewClientIdScriptHtml,
   AUTH_PREVIEW_ROUTES,
   PDS_PREVIEW_ROUTES,
   renderPreviewLinksSections,
diff --git a/packages/shared/src/preview-ui.ts b/packages/shared/src/preview-ui.ts
index e45f8a01..223a7588 100644
--- a/packages/shared/src/preview-ui.ts
+++ b/packages/shared/src/preview-ui.ts
@@ -354,6 +354,12 @@ export function renderPreviewIndexPage(opts: {
   currentService: 'auth' | 'pds'
   authPublicUrl: string
   pdsPublicUrl: string
+  /**
+   * CSP nonce to stamp on the inline <script>. Required on services that
+   * emit a `script-src 'nonce-...'` CSP (auth-service); omit on services
+   * that don't set a CSP (pds-core).
+   */
+  cspNonce?: string
 }): string {
   const serviceName =
     opts.currentService === 'auth' ? 'auth-service' : 'pds-core'
@@ -382,7 +388,7 @@ export function renderPreviewIndexPage(opts: {
   <p>Alternatively, skip the field and append this query string to any of the links above:</p>
   <pre><code>?client_id=&lt;URL-of-your-client-metadata.json&gt;</code></pre>
   ${PREVIEW_CACHE_STATUS_HTML}
-  ${PREVIEW_CLIENT_ID_SCRIPT_HTML}
+  ${previewClientIdScriptHtml(opts.cspNonce)}
 </body>
 </html>`
 }
@@ -413,8 +419,7 @@ export const PREVIEW_CACHE_STATUS_HTML = `<section id="cache-status" class="cach
  * interpolated from user input — so it's safe to embed verbatim inside
  * a <script> tag.
  */
-export const PREVIEW_CLIENT_ID_SCRIPT_HTML = `<script>
-(function () {
+const PREVIEW_CLIENT_ID_SCRIPT_BODY = `(function () {
   var STORAGE_KEY = 'epds:preview:client_id';
   var input = document.getElementById('client-id-input');
   // Single shared link-rewriter so per-link controls and the
@@ -684,4 +689,22 @@ export const PREVIEW_CLIENT_ID_SCRIPT_HTML = `<script>
     setInterval(render, 1000);
   }
 })();
-</script>`
+`
+
+/**
+ * Inline <script> tag that wires the preview index page. If `cspNonce` is
+ * passed, the tag is stamped with `nonce="..."` so it passes a
+ * `script-src 'nonce-...'` CSP; otherwise it's emitted bare (for services
+ * like pds-core that don't set a CSP on preview pages).
+ */
+export function previewClientIdScriptHtml(cspNonce?: string): string {
+  const nonceAttr = cspNonce ? ` nonce="${cspNonce}"` : ''
+  return `<script${nonceAttr}>\n${PREVIEW_CLIENT_ID_SCRIPT_BODY}</script>`
+}
+
+/**
+ * Back-compat: the no-nonce variant of the inline script tag. Callers on
+ * services that set a CSP with `script-src 'nonce-...'` must use
+ * {@link previewClientIdScriptHtml} instead, passing the request nonce.
+ */
+export const PREVIEW_CLIENT_ID_SCRIPT_HTML = previewClientIdScriptHtml()

From 5b31f3b0cab7840824c5c0013e98161fe411cfcb Mon Sep 17 00:00:00 2001
From: Adam Spiers <atproto@adamspiers.org>
Date: Tue, 21 Apr 2026 22:27:18 +0000
Subject: [PATCH 2/8] fix(auth-service): review follow-ups on CSP nonce +
 /metrics auth

- Thread cspNonce through 3 missed renderChooseHandlePage call sites
  (the /_internal/check-handle catch arm in choose-handle.ts, plus
  both /preview/choose-handle routes). Without the nonce argument the
  template emits a bare <script> tag which the strict CSP blocks,
  silently killing handle-picker interactivity on those paths.
- Use timingSafeEqual() for the /metrics Basic-auth header check so
  the secret comparison doesn't leak timing information.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 packages/auth-service/src/index.ts          | 8 ++++++--
 packages/auth-service/src/routes/preview.ts | 1 +
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/packages/auth-service/src/index.ts b/packages/auth-service/src/index.ts
index 9ab04fd4..5324175b 100644
--- a/packages/auth-service/src/index.ts
+++ b/packages/auth-service/src/index.ts
@@ -1,4 +1,8 @@
-import { createLogger, getEpdsVersion } from '@certified-app/shared'
+import {
+  createLogger,
+  getEpdsVersion,
+  timingSafeEqual,
+} from '@certified-app/shared'
 import express from 'express'
 import cookieParser from 'cookie-parser'
 import * as path from 'node:path'
@@ -111,7 +115,7 @@ export function createAuthService(config: AuthServiceConfig): {
     const authHeader = req.headers.authorization
     const expected =
       'Basic ' + Buffer.from('admin:' + adminPassword).toString('base64')
-    if (!authHeader || authHeader !== expected) {
+    if (!authHeader || !timingSafeEqual(authHeader, expected)) {
       res.status(401).json({ error: 'Unauthorized' })
       return
     }
diff --git a/packages/auth-service/src/routes/preview.ts b/packages/auth-service/src/routes/preview.ts
index 4c38627e..278f058e 100644
--- a/packages/auth-service/src/routes/preview.ts
+++ b/packages/auth-service/src/routes/preview.ts
@@ -280,6 +280,7 @@ export function createPreviewRouter(ctx: AuthServiceContext): Router {
         css,
         faviconUrl,
         faviconUrlDark,
+        res.locals.cspNonce as string,
       ),
     )
   })

From 864143691acdebf94a40a6797a31629136c52d7c Mon Sep 17 00:00:00 2001
From: Adam Spiers <atproto@adamspiers.org>
Date: Tue, 21 Apr 2026 22:33:20 +0000
Subject: [PATCH 3/8] fix(auth-service): copilot review follow-ups

- Emit `WWW-Authenticate: Basic realm="metrics"` on every 401 from
  /metrics so HTTP Basic tooling is told which scheme to use (per
  RFC 7235).
- Escape the CSP nonce before embedding it in the preview index's
  inline <script nonce="..."> attribute. Current callers pass a
  base64url crypto.randomBytes(16) value which is already attribute-
  safe, but escapeHtml here is cheap defence-in-depth if that ever
  changes.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 packages/auth-service/src/index.ts | 10 ++++++++--
 packages/shared/src/preview-ui.ts  |  7 ++++++-
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/packages/auth-service/src/index.ts b/packages/auth-service/src/index.ts
index 5324175b..b416bec3 100644
--- a/packages/auth-service/src/index.ts
+++ b/packages/auth-service/src/index.ts
@@ -109,14 +109,20 @@ export function createAuthService(config: AuthServiceConfig): {
     // than open.
     const adminPassword = process.env.PDS_ADMIN_PASSWORD
     if (!adminPassword) {
-      res.status(401).json({ error: 'Unauthorized' })
+      res
+        .set('WWW-Authenticate', 'Basic realm="metrics"')
+        .status(401)
+        .json({ error: 'Unauthorized' })
       return
     }
     const authHeader = req.headers.authorization
     const expected =
       'Basic ' + Buffer.from('admin:' + adminPassword).toString('base64')
     if (!authHeader || !timingSafeEqual(authHeader, expected)) {
-      res.status(401).json({ error: 'Unauthorized' })
+      res
+        .set('WWW-Authenticate', 'Basic realm="metrics"')
+        .status(401)
+        .json({ error: 'Unauthorized' })
       return
     }
     const metrics = ctx.db.getMetrics()
diff --git a/packages/shared/src/preview-ui.ts b/packages/shared/src/preview-ui.ts
index 223a7588..c61ebb8b 100644
--- a/packages/shared/src/preview-ui.ts
+++ b/packages/shared/src/preview-ui.ts
@@ -6,6 +6,8 @@
  * both services.
  */
 
+import { escapeHtml } from './html.js'
+
 /**
  * <label> + <input> markup for the persisted client_id field. The
  * surrounding page is expected to have CSS that styles label/input — we
@@ -698,7 +700,10 @@ const PREVIEW_CLIENT_ID_SCRIPT_BODY = `(function () {
  * like pds-core that don't set a CSP on preview pages).
  */
 export function previewClientIdScriptHtml(cspNonce?: string): string {
-  const nonceAttr = cspNonce ? ` nonce="${cspNonce}"` : ''
+  // escapeHtml defence-in-depth: callers currently pass a base64url
+  // crypto.randomBytes(16) nonce so nothing unsafe reaches this attribute,
+  // but escaping keeps the helper safe if that ever changes.
+  const nonceAttr = cspNonce ? ` nonce="${escapeHtml(cspNonce)}"` : ''
   return `<script${nonceAttr}>\n${PREVIEW_CLIENT_ID_SCRIPT_BODY}</script>`
 }
 

From 9a0c74a249b876eea5325e5e46c6e9652ef5ae5e Mon Sep 17 00:00:00 2001
From: Adam Spiers <atproto@adamspiers.org>
Date: Tue, 21 Apr 2026 22:38:19 +0000
Subject: [PATCH 4/8] test(auth-service): unit-test /metrics Basic auth check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Extract the /metrics auth-check branching into a pure
checkMetricsAuth() helper in lib/metrics-auth.ts. The route handler
in index.ts becomes a thin wrapper that maps the helper's result
onto the Express response.

Covers every branch:
  - adminPassword unset or empty → 401 even with a valid-looking header
  - adminPassword set, header missing/empty → 401
  - wrong password, wrong username, wrong scheme → 401
  - length-matched-but-different payload → 401 (regression guard for
    timingSafeEqual short-circuit behaviour)
  - matching Basic admin:<password> → ok

Every 401 path carries WWW-Authenticate: Basic realm="metrics".

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .../src/__tests__/metrics-auth.test.ts        | 76 +++++++++++++++++++
 packages/auth-service/src/index.ts            | 36 +++------
 packages/auth-service/src/lib/metrics-auth.ts | 58 ++++++++++++++
 3 files changed, 144 insertions(+), 26 deletions(-)
 create mode 100644 packages/auth-service/src/__tests__/metrics-auth.test.ts
 create mode 100644 packages/auth-service/src/lib/metrics-auth.ts

diff --git a/packages/auth-service/src/__tests__/metrics-auth.test.ts b/packages/auth-service/src/__tests__/metrics-auth.test.ts
new file mode 100644
index 00000000..e0d517ae
--- /dev/null
+++ b/packages/auth-service/src/__tests__/metrics-auth.test.ts
@@ -0,0 +1,76 @@
+import { describe, it, expect } from 'vitest'
+import { checkMetricsAuth } from '../lib/metrics-auth.js'
+
+function basic(user: string, password: string): string {
+  return 'Basic ' + Buffer.from(`${user}:${password}`).toString('base64')
+}
+
+describe('checkMetricsAuth', () => {
+  describe('deny-by-default (no admin password configured)', () => {
+    it('returns 401 when adminPassword is undefined, even with a header', () => {
+      const r = checkMetricsAuth(basic('admin', 'whatever'), undefined)
+      expect(r.ok).toBe(false)
+      if (!r.ok) {
+        expect(r.status).toBe(401)
+        expect(r.headers['WWW-Authenticate']).toBe('Basic realm="metrics"')
+        expect(r.body).toEqual({ error: 'Unauthorized' })
+      }
+    })
+
+    it('returns 401 when adminPassword is an empty string', () => {
+      const r = checkMetricsAuth(basic('admin', 'whatever'), '')
+      expect(r.ok).toBe(false)
+    })
+
+    it('returns 401 when both adminPassword and header are missing', () => {
+      const r = checkMetricsAuth(undefined, undefined)
+      expect(r.ok).toBe(false)
+    })
+  })
+
+  describe('password configured', () => {
+    const adminPassword = 'supersecret'
+
+    it('returns 401 when Authorization header is missing', () => {
+      const r = checkMetricsAuth(undefined, adminPassword)
+      expect(r.ok).toBe(false)
+      if (!r.ok) {
+        expect(r.headers['WWW-Authenticate']).toBe('Basic realm="metrics"')
+      }
+    })
+
+    it('returns 401 when Authorization header is the empty string', () => {
+      const r = checkMetricsAuth('', adminPassword)
+      expect(r.ok).toBe(false)
+    })
+
+    it('returns 401 when the password is wrong', () => {
+      const r = checkMetricsAuth(basic('admin', 'wrong'), adminPassword)
+      expect(r.ok).toBe(false)
+    })
+
+    it('returns 401 when the username is not "admin"', () => {
+      const r = checkMetricsAuth(basic('root', adminPassword), adminPassword)
+      expect(r.ok).toBe(false)
+    })
+
+    it('returns 401 when the header uses a different scheme (Bearer)', () => {
+      const r = checkMetricsAuth(`Bearer ${adminPassword}`, adminPassword)
+      expect(r.ok).toBe(false)
+    })
+
+    it('accepts a correctly formed Basic header with matching password', () => {
+      const r = checkMetricsAuth(basic('admin', adminPassword), adminPassword)
+      expect(r.ok).toBe(true)
+    })
+
+    it('rejects a header whose length happens to match the expected value', () => {
+      // Guard against a regression that would short-circuit timingSafeEqual
+      // when lengths differ. Use a same-length but different payload.
+      const expected = basic('admin', adminPassword)
+      const samelengthWrong = 'X'.repeat(expected.length)
+      const r = checkMetricsAuth(samelengthWrong, adminPassword)
+      expect(r.ok).toBe(false)
+    })
+  })
+})
diff --git a/packages/auth-service/src/index.ts b/packages/auth-service/src/index.ts
index b416bec3..cc5f95f5 100644
--- a/packages/auth-service/src/index.ts
+++ b/packages/auth-service/src/index.ts
@@ -1,8 +1,4 @@
-import {
-  createLogger,
-  getEpdsVersion,
-  timingSafeEqual,
-} from '@certified-app/shared'
+import { createLogger, getEpdsVersion } from '@certified-app/shared'
 import express from 'express'
 import cookieParser from 'cookie-parser'
 import * as path from 'node:path'
@@ -25,6 +21,7 @@ import { createRootRouter } from './routes/root.js'
 import { createTestHooksRouter } from './routes/test-hooks.js'
 import { resolveAuthPort } from './lib/resolve-port.js'
 import { createSecurityHeadersMiddleware } from './lib/security-headers.js'
+import { checkMetricsAuth } from './lib/metrics-auth.js'
 import {
   validateOtpCharset,
   validateOtpLength,
@@ -101,28 +98,15 @@ export function createAuthService(config: AuthServiceConfig): {
   app.use(createPreviewRouter(ctx))
   app.use(createPreviewEmailsRouter(ctx))
 
-  // Metrics endpoint (protect with admin auth in production)
+  // Metrics endpoint — HTTP Basic auth, deny-by-default. See
+  // packages/auth-service/src/lib/metrics-auth.ts for the rules.
   app.get('/metrics', (req, res) => {
-    // Metrics expose process-level signal (uptime, RSS, DB counts) that
-    // we don't want leaking unauthenticated. Deny-by-default: if no
-    // admin password is configured, the endpoint is unavailable rather
-    // than open.
-    const adminPassword = process.env.PDS_ADMIN_PASSWORD
-    if (!adminPassword) {
-      res
-        .set('WWW-Authenticate', 'Basic realm="metrics"')
-        .status(401)
-        .json({ error: 'Unauthorized' })
-      return
-    }
-    const authHeader = req.headers.authorization
-    const expected =
-      'Basic ' + Buffer.from('admin:' + adminPassword).toString('base64')
-    if (!authHeader || !timingSafeEqual(authHeader, expected)) {
-      res
-        .set('WWW-Authenticate', 'Basic realm="metrics"')
-        .status(401)
-        .json({ error: 'Unauthorized' })
+    const auth = checkMetricsAuth(
+      req.headers.authorization,
+      process.env.PDS_ADMIN_PASSWORD,
+    )
+    if (!auth.ok) {
+      res.set(auth.headers).status(auth.status).json(auth.body)
       return
     }
     const metrics = ctx.db.getMetrics()
diff --git a/packages/auth-service/src/lib/metrics-auth.ts b/packages/auth-service/src/lib/metrics-auth.ts
new file mode 100644
index 00000000..449d23b5
--- /dev/null
+++ b/packages/auth-service/src/lib/metrics-auth.ts
@@ -0,0 +1,58 @@
+/**
+ * HTTP Basic authentication check for the /metrics endpoint.
+ *
+ * Deny-by-default: if `PDS_ADMIN_PASSWORD` is unset the endpoint is
+ * unavailable rather than open — historically an unset password meant
+ * "no auth required", which leaked process uptime, RSS, and DB
+ * counters. Operators who want to scrape /metrics must set
+ * `PDS_ADMIN_PASSWORD` and send HTTP Basic auth as `admin:<password>`.
+ *
+ * Kept as a pure helper so the wiring in the /metrics handler is a
+ * thin wrapper and the branching logic is unit-testable without
+ * spinning up Express.
+ */
+import { timingSafeEqual } from '@certified-app/shared'
+
+/**
+ * Result of the /metrics Basic-auth check. When `ok` is false the
+ * caller should return a 401 with both `headers` set (for RFC 7235
+ * `WWW-Authenticate`) and `body` as the JSON payload.
+ */
+export type MetricsAuthResult =
+  | { ok: true }
+  | {
+      ok: false
+      status: 401
+      headers: { 'WWW-Authenticate': string }
+      body: { error: string }
+    }
+
+const UNAUTHORIZED: Extract<MetricsAuthResult, { ok: false }> = {
+  ok: false,
+  status: 401,
+  headers: { 'WWW-Authenticate': 'Basic realm="metrics"' },
+  body: { error: 'Unauthorized' },
+}
+
+/**
+ * Validate the `Authorization` header for a /metrics request against
+ * the configured admin password.
+ *
+ *   - `adminPassword` unset/empty → always 401 (deny-by-default)
+ *   - Header missing → 401
+ *   - Header present but does not match `Basic <base64(admin:<pw>)>` →
+ *     401 (comparison uses `timingSafeEqual` to avoid leaking the
+ *     password byte-by-byte)
+ *   - Header matches → `{ ok: true }`
+ */
+export function checkMetricsAuth(
+  authHeader: string | undefined,
+  adminPassword: string | undefined,
+): MetricsAuthResult {
+  if (!adminPassword) return UNAUTHORIZED
+  if (!authHeader) return UNAUTHORIZED
+  const expected =
+    'Basic ' + Buffer.from('admin:' + adminPassword).toString('base64')
+  if (!timingSafeEqual(authHeader, expected)) return UNAUTHORIZED
+  return { ok: true }
+}

From 43ff66562053497cd32084e91b71ae6c82376d0f Mon Sep 17 00:00:00 2001
From: Adam Spiers <atproto@adamspiers.org>
Date: Tue, 21 Apr 2026 22:52:18 +0000
Subject: [PATCH 5/8] docs(shared): clarify previewClientIdScriptHtml no-nonce
 branch
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The existing docstring claimed pds-core "doesn't set a CSP on preview
pages", which was misleading — pds-core's /preview/consent route does
set a CSP, it just uses 'unsafe-inline' rather than a nonce. Reword
so the no-nonce branch is explicitly described as for CSPs that allow
inline scripts without a nonce.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 packages/shared/src/preview-ui.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/packages/shared/src/preview-ui.ts b/packages/shared/src/preview-ui.ts
index c61ebb8b..883591ae 100644
--- a/packages/shared/src/preview-ui.ts
+++ b/packages/shared/src/preview-ui.ts
@@ -696,8 +696,9 @@ const PREVIEW_CLIENT_ID_SCRIPT_BODY = `(function () {
 /**
  * Inline <script> tag that wires the preview index page. If `cspNonce` is
  * passed, the tag is stamped with `nonce="..."` so it passes a
- * `script-src 'nonce-...'` CSP; otherwise it's emitted bare (for services
- * like pds-core that don't set a CSP on preview pages).
+ * `script-src 'nonce-...'` CSP. Otherwise the tag is emitted bare, which
+ * only works for callers whose CSP permits this inline script without a
+ * nonce (e.g. a `script-src` that still includes `'unsafe-inline'`).
  */
 export function previewClientIdScriptHtml(cspNonce?: string): string {
   // escapeHtml defence-in-depth: callers currently pass a base64url

From 82e5bf3c00e8e150119cb0ec9960ca54aa4edecd Mon Sep 17 00:00:00 2001
From: Adam Spiers <atproto@adamspiers.org>
Date: Tue, 21 Apr 2026 23:36:54 +0000
Subject: [PATCH 6/8] fix(shared): timingSafeEqual byte-length check +
 CodeRabbit follow-ups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- shared.timingSafeEqual: compare UTF-8 byte lengths, not JS code units.
  Previously a non-ASCII input with the same .length as the expected
  value would reach crypto.timingSafeEqual with different byte lengths
  and throw RangeError — turning a 401 into a 500. Guards every
  caller (metrics-auth, recovery, callback signatures).
- metrics-auth: regression test for non-ASCII Authorization header
  with matching code-unit length.
- security.steps.ts: Headers.getSetCookie() for reliable multi-cookie
  access; nonce step now fetches twice and asserts nonces differ, so
  a hardcoded constant would no longer pass.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 e2e/step-definitions/security.steps.ts        | 45 +++++++++++++++----
 .../src/__tests__/metrics-auth.test.ts        | 14 ++++++
 packages/shared/src/__tests__/crypto.test.ts  | 12 +++++
 packages/shared/src/crypto.ts                 | 20 +++++++--
 4 files changed, 79 insertions(+), 12 deletions(-)

diff --git a/e2e/step-definitions/security.steps.ts b/e2e/step-definitions/security.steps.ts
index a58c38e3..ae6ad325 100644
--- a/e2e/step-definitions/security.steps.ts
+++ b/e2e/step-definitions/security.steps.ts
@@ -55,10 +55,15 @@ When('the recovery page is loaded', async function (this: EpdsWorld) {
 
 Then('the response sets a CSRF cookie', function (this: EpdsWorld) {
   const { headers } = getCapturedResponse(this)
-  const setCookie = headers.get('set-cookie') ?? ''
-  if (!/epds_csrf=/.test(setCookie)) {
+  // `headers.get('set-cookie')` collapses multiple Set-Cookie values
+  // into a single comma-separated string in the Fetch API, which is
+  // ambiguous because cookie values may themselves contain commas
+  // (e.g. Expires=Thu, 01 Jan …). Use Headers.getSetCookie() (Node
+  // >=18) to get each cookie as its own entry.
+  const setCookies = headers.getSetCookie()
+  if (!setCookies.some((cookie) => /^epds_csrf=/.test(cookie))) {
     throw new Error(
-      `Expected Set-Cookie to include epds_csrf=..., got: ${setCookie || '(none)'}`,
+      `Expected Set-Cookie to include epds_csrf=..., got: ${setCookies.join(', ') || '(none)'}`,
     )
   }
 })
@@ -186,14 +191,38 @@ Then(
   },
 )
 
+function extractScriptSrcNonce(csp: string): string {
+  const scriptSrc = getScriptSrcDirective(csp)
+  const match = /'nonce-([A-Za-z0-9_-]+)'/.exec(scriptSrc)
+  if (!match) {
+    throw new Error(`script-src directive has no 'nonce-...': "${scriptSrc}"`)
+  }
+  return match[1]
+}
+
 Then(
   'the script-src directive carries a per-response nonce',
-  function (this: EpdsWorld) {
+  async function (this: EpdsWorld) {
+    // Assert two things: (a) the current response has a nonce-shaped
+    // token in script-src, and (b) the nonce is freshly generated per
+    // response — otherwise a hardcoded constant would pass (a) but
+    // defeat the whole point of a CSP nonce. Hit the same endpoint a
+    // second time and compare.
     const { headers } = getCapturedResponse(this)
-    const csp = headers.get('content-security-policy') ?? ''
-    const scriptSrc = getScriptSrcDirective(csp)
-    if (!/'nonce-[A-Za-z0-9_-]+'/.test(scriptSrc)) {
-      throw new Error(`script-src directive has no 'nonce-...': "${scriptSrc}"`)
+    const firstCsp = headers.get('content-security-policy') ?? ''
+    const firstNonce = extractScriptSrcNonce(firstCsp)
+
+    const previewUrl = `${testEnv.authUrl}/preview/login`
+    let second = await fetch(previewUrl, { redirect: 'manual' })
+    if (second.status === 404) {
+      second = await fetch(`${testEnv.authUrl}/health`, { redirect: 'manual' })
+    }
+    const secondCsp = second.headers.get('content-security-policy') ?? ''
+    const secondNonce = extractScriptSrcNonce(secondCsp)
+    if (firstNonce === secondNonce) {
+      throw new Error(
+        `CSP nonce reused across responses: "${firstNonce}" — expected a fresh nonce per request`,
+      )
     }
   },
 )
diff --git a/packages/auth-service/src/__tests__/metrics-auth.test.ts b/packages/auth-service/src/__tests__/metrics-auth.test.ts
index e0d517ae..c56431e4 100644
--- a/packages/auth-service/src/__tests__/metrics-auth.test.ts
+++ b/packages/auth-service/src/__tests__/metrics-auth.test.ts
@@ -72,5 +72,19 @@ describe('checkMetricsAuth', () => {
       const r = checkMetricsAuth(samelengthWrong, adminPassword)
       expect(r.ok).toBe(false)
     })
+
+    it('rejects a non-ASCII header with the same code-unit length as expected', () => {
+      // Guard against the timingSafeEqual footgun where an attacker
+      // can trigger RangeError (500) instead of 401 by sending a
+      // header whose JS .length matches but whose UTF-8 byte length
+      // does not (e.g. multibyte chars). Must return 401, not throw.
+      const expected = basic('admin', adminPassword)
+      const sameCodeUnitsWrong = 'é'.repeat(expected.length)
+      expect(() =>
+        checkMetricsAuth(sameCodeUnitsWrong, adminPassword),
+      ).not.toThrow()
+      const r = checkMetricsAuth(sameCodeUnitsWrong, adminPassword)
+      expect(r.ok).toBe(false)
+    })
   })
 })
diff --git a/packages/shared/src/__tests__/crypto.test.ts b/packages/shared/src/__tests__/crypto.test.ts
index d3dba60b..4fe7d031 100644
--- a/packages/shared/src/__tests__/crypto.test.ts
+++ b/packages/shared/src/__tests__/crypto.test.ts
@@ -57,6 +57,18 @@ describe('timingSafeEqual', () => {
   it('returns false for different lengths', () => {
     expect(timingSafeEqual('short', 'longer-string')).toBe(false)
   })
+
+  it('returns false (no throw) for inputs of equal code-unit length but different byte length', () => {
+    // Guards against a regression where the length check was done in
+    // JavaScript code units (a.length) but the underlying
+    // crypto.timingSafeEqual compares UTF-8 byte length, which throws
+    // RangeError when the two differ. A non-ASCII attacker-supplied
+    // value trivially hits this path.
+    const ascii = 'x'.repeat(30)
+    const nonAscii = 'é'.repeat(30)
+    expect(() => timingSafeEqual(nonAscii, ascii)).not.toThrow()
+    expect(timingSafeEqual(nonAscii, ascii)).toBe(false)
+  })
 })
 
 describe('verifyInternalSecret', () => {
diff --git a/packages/shared/src/crypto.ts b/packages/shared/src/crypto.ts
index c97b624a..fc83d71d 100644
--- a/packages/shared/src/crypto.ts
+++ b/packages/shared/src/crypto.ts
@@ -24,14 +24,26 @@ export function hashToken(token: string): string {
   return crypto.createHash('sha256').update(token).digest('hex')
 }
 
-/** Timing-safe comparison of two strings. */
+/**
+ * Timing-safe comparison of two strings.
+ *
+ * Encodes both inputs as UTF-8 Buffers and compares by byte length.
+ * Comparing `a.length !== b.length` (JavaScript code units) is not
+ * sufficient: a non-ASCII input with the same code-unit count as the
+ * expected value has a different UTF-8 byte length, and
+ * `crypto.timingSafeEqual` throws `RangeError` when byte lengths
+ * differ. This matters for any caller that feeds attacker-controlled
+ * text (HTTP headers, cookies) in as `a`.
+ */
 export function timingSafeEqual(a: string, b: string): boolean {
-  if (a.length !== b.length) {
-    const dummy = Buffer.alloc(a.length)
+  const ab = Buffer.from(a)
+  const bb = Buffer.from(b)
+  if (ab.length !== bb.length) {
+    const dummy = Buffer.alloc(bb.length)
     crypto.timingSafeEqual(dummy, dummy)
     return false
   }
-  return crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b))
+  return crypto.timingSafeEqual(ab, bb)
 }
 
 /**

From 2ceaded6cd7384ac7177268dedf63ff3879a2f66 Mon Sep 17 00:00:00 2001
From: Adam Spiers <atproto@adamspiers.org>
Date: Wed, 22 Apr 2026 11:24:48 +0000
Subject: [PATCH 7/8] fix(auth-service): make cspNonce required on
 renderChooseHandlePage
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- renderChooseHandlePage: promote cspNonce to a required parameter and
  always stamp nonce="..." on the inline <script>. All 5 call sites
  already pass res.locals.cspNonce, so the previous `cspNonce?` +
  conditional fallback only served to mask a future wiring bug where
  a caller forgot the nonce — the CSP is now nonce-based, so missing
  nonce means broken page, not graceful degradation.
- preview-ui: reword renderPreviewIndexPage cspNonce docstring. pds-core
  does serve at least one preview page (/preview/consent) under a CSP
  with 'unsafe-inline', so "omit when the service doesn't set a CSP"
  was misleading; frame the rule around the page's CSP rather than
  the service.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .../auth-service/src/routes/choose-handle.ts     | 16 ++++++++--------
 packages/shared/src/preview-ui.ts                |  8 +++++---
 2 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/packages/auth-service/src/routes/choose-handle.ts b/packages/auth-service/src/routes/choose-handle.ts
index a6ccd4f4..46431284 100644
--- a/packages/auth-service/src/routes/choose-handle.ts
+++ b/packages/auth-service/src/routes/choose-handle.ts
@@ -450,13 +450,13 @@ export function createChooseHandleRouter(
 
 export function renderChooseHandlePage(
   handleDomain: string,
-  error?: string,
-  csrfToken?: string,
-  showRandomButton?: boolean,
-  customCss?: string | null,
-  customFaviconUrl?: string | null,
-  customFaviconUrlDark?: string | null,
-  cspNonce?: string,
+  error: string | undefined,
+  csrfToken: string | undefined,
+  showRandomButton: boolean,
+  customCss: string | null,
+  customFaviconUrl: string | null,
+  customFaviconUrlDark: string | null,
+  cspNonce: string,
 ): string {
   const errorHtml = error
     ? `<div class="error" id="error-msg">${escapeHtml(error)}</div>`
@@ -533,7 +533,7 @@ export function renderChooseHandlePage(
     </form>
   </div>
 
-  <script${cspNonce ? ` nonce="${escapeHtml(cspNonce)}"` : ''}>
+  <script nonce="${escapeHtml(cspNonce)}">
     (function() {
       var input = document.getElementById('handle-input');
       var statusEl = document.getElementById('handle-status');
diff --git a/packages/shared/src/preview-ui.ts b/packages/shared/src/preview-ui.ts
index 883591ae..75169153 100644
--- a/packages/shared/src/preview-ui.ts
+++ b/packages/shared/src/preview-ui.ts
@@ -357,9 +357,11 @@ export function renderPreviewIndexPage(opts: {
   authPublicUrl: string
   pdsPublicUrl: string
   /**
-   * CSP nonce to stamp on the inline <script>. Required on services that
-   * emit a `script-src 'nonce-...'` CSP (auth-service); omit on services
-   * that don't set a CSP (pds-core).
+   * CSP nonce to stamp on the inline <script>. Required when this preview
+   * index is served with a `script-src 'nonce-...'` CSP (e.g. auth-service);
+   * omit when it's served with a policy that permits inline scripts
+   * without a nonce (e.g. pds-core's `/preview` index, which doesn't set
+   * a CSP at all, or any page served with `script-src ... 'unsafe-inline'`).
    */
   cspNonce?: string
 }): string {

From 1da0ec6b151450ca49372fdcf6dcb6910ba6e621 Mon Sep 17 00:00:00 2001
From: Adam Spiers <atproto@adamspiers.org>
Date: Wed, 22 Apr 2026 14:55:29 +0000
Subject: [PATCH 8/8] fix(e2e): drain fetch response bodies in CSP nonce step

Under Node's fetch/undici, an un-drained response body keeps the
socket open and can leave open-handles after the test exits. The
nonce-freshness check added a second fetch (and a 404-fallback
third) without consuming either body. Drain each response via
.text() before moving on, matching the pattern in captureGet().

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 e2e/step-definitions/security.steps.ts | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/e2e/step-definitions/security.steps.ts b/e2e/step-definitions/security.steps.ts
index ae6ad325..5d4819bd 100644
--- a/e2e/step-definitions/security.steps.ts
+++ b/e2e/step-definitions/security.steps.ts
@@ -212,10 +212,16 @@ Then(
     const firstCsp = headers.get('content-security-policy') ?? ''
     const firstNonce = extractScriptSrcNonce(firstCsp)
 
+    // Under Node's fetch/undici, an un-drained response body keeps the
+    // socket open and can leave open-handles after the test exits. Drain
+    // each response's body (via .text()) before moving on, matching the
+    // pattern in captureGet() above.
     const previewUrl = `${testEnv.authUrl}/preview/login`
     let second = await fetch(previewUrl, { redirect: 'manual' })
+    await second.text()
     if (second.status === 404) {
       second = await fetch(`${testEnv.authUrl}/health`, { redirect: 'manual' })
+      await second.text()
     }
     const secondCsp = second.headers.get('content-security-policy') ?? ''
     const secondNonce = extractScriptSrcNonce(secondCsp)